In a previous post, “Why IT Inventory Sucks” (it does), I figured it would make sense to follow up with some suggestions to mitigate, alleviate, conflagrate, fold, spindle, or mutilate, or possibly eliminate the sources of the inventory unhappiness.  The most efficient approach is to hit each of the main inventory sources, since they reside at a higher level than human/business organization and culture issues.  But rather than hit the five (5) beasts individually, they can be grouped.

The “big five” (5) I described in that post were:

  • Active Directory
  • SCCM (System Center Configuration Manager)
  • Purchase Records
  • Maintenance Records
  • Disposal Records.

The last three (3) are typically managed by an Asset Management role.  The first two (2) are typically managed within a traditional IT role, sometimes in the same group, but more often in separate groups.


Create (or reorganize) an Asset Management role.  Whether it’s a person or a team, it doesn’t matter.  But having someone in charge of overseeing inventory is better than nobody.

Make sure the Asset Manager role has some jurisdiction with regards to peer-level relations with Purchasing and HR in particular.  This will help get answers to questions about Purchase Orders, disposal records, and employee hires and terminations.  It doesn’t matter if this role is placed under the IT organization, or not.  But if it’s separate, it also needs peer-level authority with IT.  If possible, this roles should be a peer-level role with InfoSec.

The main point of this is to have someone (or some group) in charge of connecting the dots of the lifecycle of an asset.  From purchase to disposal, and everything in between.


Active Directory

Assign someone, or some group, the responsibility of insuring it stays clean.  Part of their role should be to establish a standard communication.

Review and update the following:

  • DNS scavenging
  • Site links and inter-site replication

If replication is not working 100%, you may be unable to detect accurate “lastLogon” and “lastLogonDate” values from LDAP queries (regardless of script language or application). Tuning Active Directory can help a great deal, even though it’s often considered low priority.

Establish an automation process for handling user accounts for terminated/retired/expunged/vaporized employees and their associated assets.  This can be done with very little effort using scripts, utilities, duct tape and chewing gum, along with a scheduled task/job.  The Internet is full  of stuff like that, just go forth and Google it (or contact me for an estimate).

SCCM / ConfigMgr

Review the discovery settings, boundaries and boundary groups.  Make sure the discovery account (or site server account) has permissions to poke into every nook and cranny throughout your AD forest environments (yes, plural).  Adjust “last-logon” thresholds on discovered systems and users.

Review your resource management settings and consider things like obsolete and inactive clients.  Use the client health status reports as a flashlight to chase down disposed devices.


Whatever you do, please, do NOT rely on Excel or Access to be your one-size-fits-all inventory repository.  Use a real database.  If you can, put that database in the cloud.  Document-based storage on a hard drive or thumb drive is just waiting to be lost or corrupted.  Good luck.


Basically, the operative word is “oversight”.  Put someone on the trail and give them authority to chase things down and clean things up.  If management whines and snears at the idea, focus on tying dollars to the effort.  By that, I mean associating time and money spent with potential money savings (licensing, maintenance fees, support fees, etc.).  If that doesn’t work, sit them down and give them a nice, thorough presentation on what software license audits are like.  If that doesn’t work, start here.


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s